Data Breach Notification Bill Moves Forward

A national data breach law is moving closer to passage, despite fierce opposition from consumer groups.

Passed out of the House Financial Services Committee on a 48-17 vote late last week, the Financial Data Protection Act of 2005 (H.R. 3997) allows data brokers and other companies to conduct an investigation of a breach and determine if notification to consumers is necessary.

The bill also allows companies that choose to protect their data with encryption to take that into consideration when determining if consumer notification is necessary in the aftermath of a breach.

"We think consumers should be notified in case of a breach and it shouldn't be left to the companies to decide," Susanna Montezemolo, a policy analyst with Consumers Union, told internetnews.com.

The legislation also preempts any state laws mandating breach disclosures to consumers. According to Consumers Union, 11 states currently have stricter notification standards than H.R. 3997, including a California law that has resulted in numerous consumer notifications over lost data tapes and database breaches.

The furor over those disclosures prompted Congress to begin considering a national breach notification law.

"It is ironic that after a year in which over 55 million Americans' identities were put at risk through preventable data breaches, the House Financial Services Committee would repeal state laws that have protected consumers from identity theft," Montezemolo said.

Under the bill, if a company conducts a "reasonable" investigation after a breach and determines that no "harm" to consumers occurred, the company is not obligated to inform consumers of the breach.

The bill defines harm as "material financial loss to or civil or criminal penalties imposed on the consumer or the need for the consumer to expend significant time and effort to correct erroneous information relating to the consumer."

"Today, the Financial Services Committee voted for the worst data security bill ever," Ed Mierzwinski of the U.S. Public Interest Research Group said in a statement.

"Rather than voting to protect consumers, the committee made things worse. All consumers should have the right to sleep at night without worrying about identity theft. This bill takes us in the wrong direction."

In an e-mail statement to internetnews.com, bill sponsor Steven LaTourette of Ohio said: "We have crafted a balanced bill that makes sure companies safeguard their sensitive information and ensures that consumers are fully protected if data is breached."

A LaTourette spokesman added in an interview, "The bill did pass in committee overwhelmingly on a bipartisan vote."

Mierzwinski said if LaTourette's bill had been in place at the time of ChoicePoint's data breach, consumers would have never heard about it.

Montezemolo said her organization much prefers the Personal Data Privacy and Security Act of 2005 (S. 1789) passed by the Senate Judiciary Committee in November.

That legislation also allows companies to avoid notifying consumers of breaches if there is no significant risk of identity theft.

However, the bill mandates that if a company decides there is no risk to consumers, the company must file a written report to the U.S. Secret Service, which can conduct its own investigation.

"What we like is that there is a process and something gets put in writing," Montezemolo said.